Norton Password Manager hacked, warning users about breaches
Customers of NortonLifeLock are being notified that hackers are breaching Norton Password Manager accounts using credentials obtained through breaches of accounts on other platforms.

An example authentication page
The notifications to customers of NortonLifeLock advise that hackers are successfully gaining access to Norton Password Manager accounts. However, it is claimed that the attacks were not caused by weak security in the Norton Password Manager systems, but instead via a third-party platform.
"Our own systems were not compromised. However, we strongly believe that an unauthorized third-party knows and has utilized your username and password for your account," the firm said in notices to customers, according to a letter sample shared with the Office of the Vermont Attorney General seen by BleepingComputer.
Specifically, the technique is known as a credential-stuffing attack, where an attacker uses data acquired from other sources, such as account compromises on other platforms, to try to gain access to the intended target.
In this instance, Norton detected an "unusually large volume" of failed login attempts on December 12, which usually indicates attempts at credential-stuffing attacks. An internal investigation that ran until December 22 discovered that the attacks started on December 1, and that a number of accounts were successfully compromised.
While the number of affected accounts was not revealed, a statement from NortonLifeLock parent company Gen Digital revealed that approximately 925,000 inactive and active accounts could've been targeted in the attack.
Customers are warned in the notification that attackers may have obtained details stored in private vaults, which could lead to further compromises. Attackers may also have seen the account's first name, last name, phone number, and mailing address.
Norton has since reset passwords on impacted accounts, introduced additional measures to fend off attacks, and advises customers to enable two-factor authentication on their accounts. It also offers the use of a credit monitoring service.
The NortonLifeLock attack is the latest publicly known attack involving password locker services.
In December, LastPass confirmed that an August data breach involved names, addresses, and encrypted password data vaults. By late December, it was claimed that the vaults were potentially crackable for just $100.
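The failed-login spike the article describes can be told apart from ordinary mistyped passwords by its shape: many different accounts, few attempts each. The following is an added example, not code from the article or from Norton; the log format, thresholds, and all names in it are assumptions, and the log lines are constructed. It flags hours that match that shape and lists accounts that logged in successfully from a failing source, which are the candidates for a forced password reset.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed (hypothetical) log format: "<ISO time> <ok|fail> user=<name> ip=<addr>"
LINE = re.compile(r"^(\S+) (ok|fail) user=(\S+) ip=(\S+)$")

def build_sample():
    """Constructed data: three quiet hours, then one hour of wide, shallow failures."""
    lines = []
    for hour in (0, 1, 2):
        lines.append(f"2022-12-12T0{hour}:05:00Z fail user=user{hour} ip=198.51.100.7")
        lines.append(f"2022-12-12T0{hour}:06:00Z ok user=user{hour} ip=198.51.100.7")
    for i in range(40):  # 40 different accounts, one attempt each
        lines.append(f"2022-12-12T03:{i:02d}:00Z fail user=acct{i} ip=203.0.113.{i % 5}")
    lines.append("2022-12-12T03:41:00Z ok user=acct17 ip=203.0.113.2")  # a reused password matched
    return lines

def analyze(lines, spike_factor=5, min_spread=0.8):
    """Return (flagged hours, accounts to reset) from raw log lines."""
    fails = defaultdict(list)     # hour -> usernames with a failed login
    oks = defaultdict(list)       # hour -> (user, ip) of successful logins
    fail_ips = defaultdict(set)   # hour -> source IPs that produced failures
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # ignore lines outside the assumed format
        ts, result, user, ip = m.groups()
        hour = ts[:13]            # bucket key "YYYY-MM-DDTHH"
        if result == "fail":
            fails[hour].append(user)
            fail_ips[hour].add(ip)
        else:
            oks[hour].append((user, ip))
    baseline = median(len(v) for v in fails.values()) if fails else 0
    flagged, reset = [], set()
    for hour, users in sorted(fails.items()):
        spread = len(set(users)) / len(users)  # near 1.0: many accounts, few tries each
        if len(users) >= spike_factor * max(baseline, 1) and spread >= min_spread:
            flagged.append(hour)
            # A success from an IP that was failing in the same hour needs review.
            reset.update(u for u, ip in oks[hour] if ip in fail_ips[hour])
    return flagged, sorted(reset)

if __name__ == "__main__":
    print(analyze(build_sample()))
```

A low spread with a high count points instead at repeated guessing against a few accounts, which calls for per-account lockout rather than a broad reset.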
Comments
Have noticed a large increase in spam emails starting about a week before Christmas. Wondering if a different database was hacked, or some company or companies running low on cash has been selling email addresses in a bid to make money.
I think this is going to be more common when we get more app stores with less oversight. Welcome to your future Europe. Also don’t use LifeLock, if its CEO can be hacked so can you.
https://www.wired.com/2010/05/lifelock-identity-theft/
The most secure option for managing your passwords is to use a password keeper app that keeps its data in an encrypted database stored locally on your device, and doesn't sync it to some cloud server. That's what I do.
If you're not doing any syncing do you just have the one device or are you manually recreating your vaults on each device? I can't reasonably be expected to recreate 1000s* of entries manually across devices, and then update passwords and secure data in each device when there's a single change so of course I use syncing. As someone who's been using 1Password for over 15 years I have far too much info in my vaults to want to waste time without any gain in security.
You do you, but don't conflate security with paranoia and try to balance security with convenience so it can benefit your life, not hinder it.
* No, of course these aren't all logins. A great deal of the entries are for other data, too. I make extensive use of the Secure Notes section with Markdown formatting to keep a great many things I don't simply want hanging out in my Documents folder more secure.
If you are a multi-family household with a need for a shared vault for some passwords, take a look at 1Password.
You may as well claim "The most secure option is to print & store your passwords in a 500-lbs gun safe in your home." Yeah it's more secure from hackers, but...of much less use.